Reset value when env var is changed from private to public

When env var is changed from private to public, we didn't nullify it, so someone doing that could miss exposing it. To minimise the risk of exposing any secure info we'll now nullify the value.
2014-09-10 10:46:13 +02:00 · 2014-09-10 10:46:13 +02:00 · e103b291ad
commit e103b291ad
parent 3e33ab15d5
3 changed files with 54 additions and 5 deletions
--- a/lib/travis/api/app/endpoint/env_vars.rb
+++ b/lib/travis/api/app/endpoint/env_vars.rb
@ -0,0 +1,31 @@
+require 'travis/api/app'
+require 'travis/api/app/endpoint/setting_endpoint'
+
+class Travis::Api::App
+  class Endpoint
+    class EnvVars < SettingsEndpoint
+      define_method(:name) { :env_vars }
+      define_routes!
+
+      def update
+        data = JSON.parse(request.body.read)[singular_name]
+        previously_public = record.public?
+        record.update(data)
+
+        # if we update from private to public reset value
+        if !previously_public && record.public?
+          record.value = nil
+        end
+
+        if record.valid?
+          repo_settings.save
+          respond_with(record, type: singular_name, version: :v2)
+        else
+          status 422
+          respond_with(record, type: :validation_error, version: :v2)
+        end
+      end
+
+    end
+  end
+end
--- a/lib/travis/api/app/endpoint/setting_endpoint.rb
+++ b/lib/travis/api/app/endpoint/setting_endpoint.rb
@ -21,13 +21,17 @@ class Travis::Api::App
      def create_settings_class(name)
        klass = Class.new(self) do
          define_method(:name) { name }
-          get("/", scope: :private) do index end
-          get("/:id", scope: :private) do show end
-          post("/", scope: :private) do create end
-          patch("/:id", scope: :private) do update end
-          delete("/:id", scope: :private) do destroy end
+          define_routes!
        end
      end
+
+      def define_routes!
+        get("/", scope: :private) do index end
+        get("/:id", scope: :private) do show end
+        post("/", scope: :private) do create end
+        patch("/:id", scope: :private) do update end
+        delete("/:id", scope: :private) do destroy end
+      end
    end

    # Rails style methods for easy overriding
--- a/spec/integration/v2/settings/env_vars_spec.rb
+++ b/spec/integration/v2/settings/env_vars_spec.rb
@ -83,6 +83,20 @@ describe Travis::Api::App::SettingsEndpoint do
    end

    describe 'PATCH /settings/env_vars/:id' do
+      it 'resets value if private key is made public' do
+        settings = repo.settings
+        env_var = settings.env_vars.create(name: 'FOO', value: 'bar')
+        settings.save
+
+        body = { env_var: { public: true } }.to_json
+        response = patch "/settings/env_vars/#{env_var.id}?repository_id=#{repo.id}", body, headers
+        json = JSON.parse(response.body)
+        json['env_var']['value'].should be_nil
+
+        updated_env_var = repo.reload.settings.env_vars.find(env_var.id)
+        updated_env_var.value.decrypt.should be_nil
+      end
+
      it 'should update a key' do
        settings = repo.settings
        env_var = settings.env_vars.create(name: 'FOO', value: 'bar')